Adopting A Cyber Kill Chain Strategy

By Abhijitt Mukharjji

A strategy to build a resilient cyber defence that is capable of defending every organisation, no matter how much the threat landscape changes around it.  So let us see what is so special about the Cyber Kill Chain that it promises to never die when it comes to defending the cyber realms of an organisation.

The Cyber Kill Chain was designed by Lockheed Martin, USA, and it succinctly breaks down the entire life cycle of a cyber attack into 7 steps.  The main advantage of breaking the lifecycle into distinct, identifiable steps is that it helps bring up commensurate controls to mitigate a cyber attack proactively, well ahead in the nascent and forming stages of an attack, thereby sparing an organisation the pains and losses of suffering an attack in the first place.

The 7 steps of the Cyber Kill Chain are:

  1. Reconnaissance: Intruder selects a target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates a remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits the weapon to the target (e.g., via e-mail attachments, websites or USB drives).
  4. Exploitation: The malware weapon’s program code triggers, taking action on the target network to exploit a vulnerability.
  5. Installation: The malware weapon installs an access point (e.g., a “backdoor”) usable by the intruder.
  6. Command and Control: The malware enables the intruder to have “hands on the keyboard” persistent access to the target network.
  7. Actions on Objective: The intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Of the above 7 steps of a typical cyber attack lifecycle, we have no control over stage 2, Weaponization, because it happens in the zone of influence or control of the attackers, perpetrators or organised groups; it could be in the Security Operating Centre (SOC) of an organised hacking group or a nation-state threat actor.

Firewall – Appliances or devices used to delineate the Internet or an external network from the internal network or LAN.

SIEM – Security Incident and Event Management applications such as Splunk, AlienVault, etc.  These applications can correlate threat intelligence with the events and incidents in your local network to predict or detect an attack.

RTM – Real Time Monitoring is more of a Security Operating Centre capability: a team of dedicated security engineers monitoring the egress and ingress points of your network or firewalls for proactive threat detection.

IAM – Identity and Access Management solution.  It helps an organisation manage the entire lifecycle of an identity and its respective rights and privileges, keeping users in least-privilege mode and granting access on a need-to-know basis.  Modern IAM solutions even have workflow and application whitelisting capabilities.

PAM – Privileged Access Management solution, which mainly deals with the admin and service accounts operating in an organisation that perpetrators abuse through malware-inflicted privilege escalation attacks.  A PAM solution helps remove the admin privileges embedded in enterprise applications by effectively substituting them with secured API calls.

AI-based Anti-Malware – Artificial Intelligence based anti-malware solutions that can help you defend against zero-day or even negative-day vulnerability exploits.

Application White Listing – Only allow what is required to run and operate in your environment, or black list what you know is not safe.  This not only avoids software licensing issues, it also prevents a malicious payload from executing itself and causing harm, as in the case of ransomware attacks.
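The difference between the two policies above is easiest to see on a payload nobody has seen before. The following is an added example written for this article, not code from the original post or from any product: the "executables" are constructed byte strings standing in for files on disk, and the hash-based policy functions are an illustration of the principle, not a particular vendor's implementation. It also covers one edge case the paragraph implies but does not spell out: a known-good binary that has been tampered with no longer matches its allowlisted hash.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable (assumed policy key)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries (not real files). In practice these would be
# read from disk at execution time by an endpoint agent.
KNOWN_GOOD = {
    "winword.exe": b"MZ\x90\x00 constructed office binary",
    "backup-agent.exe": b"MZ\x90\x00 constructed backup agent",
}
KNOWN_BAD = {
    "oldransom.exe": b"MZ\x90\x00 constructed, previously seen ransomware",
}
NEVER_SEEN = {
    # A fresh payload: not in any denylist yet, so signatures cannot help.
    "invoice_viewer.exe": b"MZ\x90\x00 constructed, brand-new payload",
    # A known-good binary with one byte changed (trojanised or corrupted).
    "winword.exe (modified)": b"MZ\x90\x00 constructed office binarY",
}

ALLOWLIST = {sha256_hex(b) for b in KNOWN_GOOD.values()}
DENYLIST = {sha256_hex(b) for b in KNOWN_BAD.values()}


def allowlist_decision(data: bytes) -> str:
    """White listing: run only what is explicitly approved; default is block."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "block"


def denylist_decision(data: bytes) -> str:
    """Black listing: block only what is known bad; default is allow."""
    return "block" if sha256_hex(data) in DENYLIST else "allow"


def compare_policies(samples: dict) -> dict:
    """Map each sample name to (allowlist verdict, denylist verdict)."""
    return {name: (allowlist_decision(b), denylist_decision(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare_policies({**KNOWN_GOOD, **KNOWN_BAD, **NEVER_SEEN}).items():
        print(f"{name:28s} allowlist={verdicts[0]:5s} denylist={verdicts[1]}")
```

The never-seen payload and the modified copy of winword.exe are both blocked under the allowlist and both permitted under the denylist, which is the whole argument for whitelisting at the Exploitation and Installation stages: the policy does not depend on having seen the malware before. The cost is the maintenance of the approved set, which is why the IAM and PAM workflow capabilities mentioned above matter for keeping it current.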

Abhijeet Mukherjee is Digital Security Evangelist and he works for Arab Bank Australia.
